NetScaler 10.5 Enhancement Release Notes

NetScaler 10.5 has the following enhancement releases:
Note: Enhancement releases are based on a corresponding main release. For example, enhancement release Build 51.1017.e is based on the main release Build 51.10 release. For a more comprehensive list of issues, see the Build 51.10 release notes.
Review the enhancements, bugs fixed, and known issues that are provided for the latest released version. For more specific details on previously released builds, refer to the release notes copy (html) that is provided on the Citrix downloads page.
Note: You can find the build in which the issue was provided by viewing the [From Build xxxx] label that is provided below each issue.

Quick links Other links
What's New?
The list of enhancements released in Build 51.1017.e.
  • RADIUS Responder Support
    The NetScaler ADC default expressions language now supports RADIUS expressions in Responder policies. You can use the new RADIUS expressions to construct simple responses, such as rejecting RADIUS requests from specific networks. Responder does not need to contact the RADIUS server to generate a response, so even if all RADIUS servers are down, it can send an error message to RADIUS requests instead of simply dropping those requests.
    For example, to create a Responder policy to block logins from the IP, you would type the following:
    > add responder action resp_act_radius_reject respondwith radius.new_accessreject
    > add responder policy resp_pol_radius_reject "radius.req.avp(4).value.eq(\"\")" resp_act_radius_reject
    > bind responder global resp_pol_radius_reject 102 END -type RADIUS_REQ_OVERRIDE
    To add a responder policy label for policies containing RADIUS expressions, you use "-policylabeltype RADIUS" as shown below:
    > add responder policylabel <name> -policylabeltype RADIUS
    For a more complete description of RADIUS policy expressions and how they can be used, see the NetScaler documentation on AppExpert.
    [From Build 51.1017.e] [#406254]
  • RADIUS Rewrite Support
    The NetScaler ADC default expressions language now supports RADIUS expressions in Rewrite policies. You can add new RADIUS attribute-value pairs (AVPs), delete AVPs, and replace AVPs with different AVPs before forwarding a request to the RADIUS server or a response to the client. You can use the new RADIUS expressions to rewrite connections between users authenticating to AAA-TM and the RADIUS authentication server. Among other things, you can:
    * Remove the "domain\" portion of the username attribute before sending the authentication request to the RADIUS server:.
    * Insert vendor specific attributes, such as an MSISDN field used by a telephone company.
    * Rewrite RADIUS accounting values to fit a prescribed standard format, such as modifying the Calling-Stating-Id so that it consists of a leading "1" followed by the ten-digit MDN value.
    * Insert the RADIUS Accounting "Called-Station-Id" AVP into the received message. 
    The following types of Rewrite actions support RADIUS expressions:
    * DELETE
    You can use any RADIUS expression in a Rewrite policy. Rewrite policies that contain RADIUS expressions are supported in both the request and response flows. Request policies are evaluated after Content Switching and Responder policies.
    You can bind request-side Rewrite policies that contain RADIUS expressions to the RADIUS_REQ_OVERRIDE and RADIUS_REQ_DEFAULT bind points, and response-side policies to the RADIUS_RES_OVERRIDE and RADIUS_RES_DEFAULT bind points. You can use the new RADIUS_REQ and RADIUS_RES elements when creating Rewrite policy labels with RADIUS expressions.
    To add a Rewrite action and policy to insert the Called-Station-ID AVP into the received message, and bind the policy to the RADIUS request override bind point, you could type the following commands:
    > add rewrite action rw_act_insert_csid insert_before radius.req.avp_end "radius.new_avp(34, RADIUS.REQ.AVP(30).VALUE)"
    > add rewrite policy rw_pol_insert_csid "RADIUS.IS_SERVER" rw_act_insert_csid
    > bind rewrite global rw_pol_insert_csid 20 NEXT -type RADIUS_REQ_OVERRIDE
    For a more complete description of RADIUS policy expressions and how they can be used, see the NetScaler documentation on AppExpert.
    [From Build 51.1017.e] [#406252]
Large Scale NAT
  • Large Scale Network Address Translation
    The NetScaler ADC now supports NAT44 Large Scale NAT (LSN) and is compliant with RFC 6888, 5382, 5508, and 4787.
    The phenomenal growth of the internat has resulted in the shortage of public IPv4 addresses. CGN provides a solution to this issue by maximizing the use of available public IPv4 addresses by sharing few public IPv4 addresses among a large pool of Internet users. CGN is a collection of technologies and NAT44 is one of them.
    NAT44 LSN translates private IPv4 address in public IPv4 addresses. It includes network address and port translation methods to aggregate many private IP addresses into fewer public IPv4 addresses. NAT44 LSN is designed to handle NAT in large scale.
    The LSN feature of the NetScaler ADC is very useful for Internet Service Providers (ISPs), carriers, and in enterprise data centers, providing millions of translations to support a large number of users, and at very high bandwidth throughput.
    Note: Large Scale NAT is also called Carrier Grade NAT.
    The following are some of the sub-features of LSN on a NetScaler ADC:
    * Mapping: Support of Endpoint-independent mapping (EIM), Address-dependent mapping ( ADM), and Address-Port dependent mapping.
    * Filtering: Support of Endpoint-independent filtering (EIF), Address-dependent filtering, and Address-Port-dependent filtering.
    * Quotas: Configurable limits on number of ports and sessions per subscriber.
    * Static Mapping: Support of manually defining an LSN mapping.
    * Hairpin Flow: Support for communication between subscribers or internal hosts using public IP addresses.
    * ALGs: Support of application Layer Gateway (ALG) for FTP, ICMP, and TFTP protocols.
    * LSN Clients: Support for specifying or identifying subscribers for LSN NAT by using IPv4 addresses and extended ACL rules.
    * Deterministic/ Fixed NAT: Support for pre-allocation of block of ports to subscribers for minimizing logging.
    * Logging: Support for logging LSN session for law enforcement.
    [From Build 51.1017.e] [#316909]
Load Balancing
  • Support for SIP Load Balancing over TCP/TLS
    The NetScaler ADC now supports load balancing SIP traffic over TCP or TLS. To configure you ADC to load balance SIP requests to a group of SIP proxy servers, create a load balancing virtual server with the load balancing method and the type of persistence set to one of the following combinations:
    - Call-ID hash load balancing method with no persistence setting
    - Call-ID based persistence with least connection or round robin load balancing method
    - Rule based persistence with least connection or round robin load balancing method
    Also, a number of new default syntax expressions have been added that operate on SIP connections. These expressions can be bound only to SIP based (sip_udp, sip_tcp or sip_ssl) virtual servers, and to global bind points. You can use these expressions in content switching, rate limiting, responder, and rewrite policies.
    [From Build 51.1017.e] [#413074, #246718, #501281]
  • Support for SMPP Load Balancing
    The NetScaler ADC now supports SMPP load balancing and provides optimal distribution of SMS requests across your servers, preventing poor performance and outages. To configure your ADC for SMPP load balancing, add an ESME as a user on the ADC, configure an SMPP load balancing virtual server and service, and specify a custom server ID in the service configuration.
    A new monitor of type SMPP is available to monitor SMPP servers. This monitor opens a TCP connection and sends an enquire_link packet to check the status of the server. Depending on the success or failure of the probe, the service is marked as UP or DOWN.
    [From Build 51.1017.e] [#413106]
NetScaler Gateway
  • Users can log on to NetScaler Gateway by using Risk-Based Authentication that is part of delegated forms authentication support in StoreFront.
    [From Build 51.1017.e] [#448538, #477473]
  • If users are logged on with Citrix Reciever, if the server running the Secure Ticket Authority (STA) becomes unavailable, the STA ticket does not refresh and session reliability fails. To fix this problem, upgrade NetScaler Gateway to Version 10.5 Build 51.10xx.e. This release supports configuring multiple STA servers on NetScaler Gateway.
    [From Build 51.1017.e] [#404522]
  • You can configure content switching on the NetScaler Gateway appliance. When users connect, the appliance terminates SSL connections and then does content switching prior to honoring policies on NetScaler Gateway. For more information about content switching, see Content Switching in the NetScaler documentation.
    The following example contains the general steps for configuring content switching with NetScaler Gateway:
    1. Configure the NetScaler Gateway virtual server.
    2. Configure internal load balancing virtual servers for any traffic that is being content switched.
    3. Define the services over which connections communicate and then bind the services to the load balancer. For example, you can use the following commands:
    > add service artemis-xm HTTP 443
    > add service sharefile_server HTTP 443
    > bind lb_vserver lb_appc artemis_xm
    > bind lb_vserver lb_sharefile sharefile_service
    4. Define the URLs with specific patterns to go to one of the two internal load balancers. All other network traffic goes to NetScaler Gateway. For example, you can use the following commands:
    > add csaction appc_cs -targetLbVserver lb-appc
    > add csaction sharefile_cs -targetLBVserver lb-sharefile
    > add policy patset cs_list
    > bind patset cs_list "/zdm/"
    > bind patset cs_list "/devicecheck"
    > add cspolicy appc_cs -rule "http.req.uri.contains_any(cs_list)" -action appc_cs
    > bind vpn vserver artemis_ng -policy appc_cs -priority 10
    > add cspolicy sharefile_cs "http.req.url.startswith('/sharefile')...
    > bind vpn vserver argemis_ng -policy sharefile-cs -priorit 11
    [From Build 51.1017.e] [#438365]
  • Users can connect with single sign-on to Remote Desktop (RDP) connections through NetScaler Gateway.
    [From Build 51.1017.e] [#422442]
NetScaler SDX Appliance
  • SDX Bandwidth Metering
    Bandwidth metering provides the flexibility to dynamically allocate the bandwidth among various NetScaler instances. Dynamic bandwidth allocation helps in distributing unused bandwidth of an instance to other instances and at the same time ensuring that each instance always gets the minimum allocated bandwidth.
    Bandwidth metering also allows an administrator to monetize available bandwidth on the NetScaler SDX through a consumption based usage model. The enhancement also includes logging and reporting of bandwidth usage, in addition to allocation of bandwidth. The bandwidth usage can be viewed using various graphs.
    [From Build 51.1017.e] [#418076]
  • Resource Allocation using NetScaler SDX Administrative Domains
    NetScaler SDX administrative domains provides you with the capability to create multiple administrative domains. Creating domains allows the administrator to segregate resources based on their departments in the organization. This provides a better control over resources and how they are distributed among various domains for optimal use.
    [From Build 51.1017.e] [#250235]
Known Issues
The list of known issues available in Build 51.1017.e.
Configuration Utility
  • In the NetScaler configuration utility, the page at System> Network > IPs does not display the Type for LSN NATIPs, and the value shown for Traffic Domain is incorrect.
    Workaround: Display the values in the command line interface.
    [From Build 51.1017.e] [#505121]
Large Scale NAT
  • In an LSN deployment in high availability, after multiple HA fail overs, the current secondary node might have stale LSN session entries that were created or processed when the node was in primary state.
    Workaround: After a manual failover, remove (flush) the LSN session entries from the secondary node before manually running the HA synchronization operation.
    [From Build 51.1017.e] [#501440]
  • In an LSN deployment, FTP over Jumbo interfaces might not work.
    [From Build 51.1017.e] [#503177]
  • The NetScaler ADC might not support FTP passive LSN sessions in a large scale.
    [From Build 51.1017.e] [#502875]
  • With Endpoint Independent Mapping and Filtering settings, if the NetScaler ADC has more than 200 million LSN sessions, the NetScaler ADC might become unresponsive after you run the clear config operation.
    [From Build 51.1017.e] [#501304]
  • If the NetScaler ADC has more than 1 million LSN sessions, Configuration utility (GUI) might become unresponsive on refreshing the LSN session display page.
    [From Build 51.1017.e] [#502648]
Load Balancing
  • The NetScaler ADC ignores the replace_if_present_flag in the submit_sm message. This flag is used if the submitted message should replace an existing message, so the ADC should forward the submitted message to the server to which an earlier message with the same criteria (same source, destination, and service type) was sent. Instead, the ADC forwards it to the server selected by the load balancing algorithm.
    [From Build 51.1017.e] [#504085]
  • The NetScaler ADC does not forward a queued alert_notification message to an ESME even after the ESME is available.
    [From Build 51.1017.e] [#501658]
  • The following SIP parameters cannot be configured from the NetScaler GUI (Traffic Management > Load Balancing > Change SIP Settings):
    - RNAT secure source port
    - RNAT secure destination port
    Workaround: These parameters can be set by using the "set lb sipParameters -rnatsecuresrcport <port> -rnatsecuredstport <port>" command.
    [From Build 51.1017.e] [#504856]
NetScaler Insight Center
  • On the HDX Insight dashboard, the host delay value for XenDesktop 7.5 might display zero.
    [From Build 51.1017.e] [#505865]